IDS mailing list archives
Re: Active response... some thoughts.
From: Chris Travers <chris () travelamericas com>
Date: Fri, 31 Jan 2003 10:22:58 -0800
Hi-- I had an additional idea relating to quasi-active response. For example, an IDS could have hooks into a router's filtering tables in order to temporarily ban that IP address. This has the advantage of the RST in that all inbound traffic from the attacker would be stopped, but would create less traffic on the gateway than a RST would. Additionally, this could also be used against connectionless protocols such as UDP and ICMP.
It is more flexible, could be implemented on a timer to minimize the damage of false alarms, etc.
Best Wishes, Chris
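
The timed ban described in the message above, sketched as an added example that is not part of the original post or of any IDS product. The `apply_rule` hook standing in for the router's filter interface, the `never_block` list, and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress


class TempBanTable:
    """Timed source-address bans driven by IDS alerts."""

    def __init__(self, apply_rule, ttl=300, never_block=()):
        # apply_rule(action, ip) is a hypothetical hook into the router's
        # filter table; action is "add" or "del".
        self.apply_rule = apply_rule
        self.ttl = ttl
        # Assumption: networks that must never be filtered (DNS, upstream
        # gateways), so a false alarm cannot cut the site off from them.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.expires = {}  # ip -> time at which the ban lapses

    def alert(self, src, now):
        """Handle one IDS alert; return True if src is (still) banned."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.never_block):
            return False
        first = ip not in self.expires
        self.expires[ip] = now + self.ttl  # a repeat alert restarts the timer
        if first:
            self.apply_rule("add", str(ip))  # one filter rule per banned source
        return True

    def sweep(self, now):
        """Lift every ban whose timer has run out; return the lifted addresses."""
        expired = [ip for ip, t in self.expires.items() if t <= now]
        for ip in expired:
            del self.expires[ip]
            self.apply_rule("del", str(ip))
        return [str(ip) for ip in expired]


if __name__ == "__main__":
    import time

    table = TempBanTable(lambda action, ip: print(action, ip),
                         ttl=2, never_block=["192.0.2.0/24"])
    # Constructed alerts: (source address, protocol that triggered the alert).
    for src, proto in [("203.0.113.7", "udp"), ("192.0.2.53", "udp"),
                       ("203.0.113.7", "icmp")]:
        print(proto, src, "banned" if table.alert(src, time.time()) else "skipped")
    time.sleep(2.1)
    print("lifted:", table.sweep(time.time()))
```

Because the ban is keyed on the source address alone, the same rule covers TCP, UDP and ICMP, and `sweep` is what bounds how long a false alarm stays in the filter table.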